
Content filters for outgoing email addresses don't seem to work

zheka_pefti
Level 2

Hello folks,

I ran into a weird situation when I created a content filter for an "envelope sender" email address to specifically block them, but Ironport didn't seem to do anything about it. Ironport receives all mail from the internal company mail server, or rather relays it.

To be more detailed about it, this is what I did.

Mail policies - Outgoing content filters

Condition - envelope sender equals to specific email address

Action - drop.

Then this filter is attached to the outgoing policy.

What I see in the mail log is that emails from those addresses are still queued for delivery and attempted to be sent out.

Moreover, I manually created filters for the same specific email addresses from CLI with "filters" command.

Absolutely no effect at all. Could it be that the host that is in the Relay sender group in the HAT table is explicitly trusted?

How would I build an outgoing filter at all? I want to be able to drop emails from a number of users and I know that they send spam but the verdict for spam is also negative. Totally swamped by this issue


Eugene

7 Replies

dmccabej
Cisco Employee

Hello,


You can check the following typical offenders regarding your content filter not triggering.


1) Make sure the email is hitting the correct Sender Group --> Mail Flow Policy --> Incoming or Outgoing Mail Policies --> Mail Policy

2) Confirm the Content Filter is enabled on the correct Mail Policy

3) Confirm the and/or logic of the Content Filter itself (If you have multiple sender conditions, you may need to change to 'If one' matches instead of 'All')


Regarding the Spam query, you can check the corresponding Mail Flow Policy to see if Anti-Spam is enabled; however, also keep in mind that what may look like Spam to you may not necessarily be considered Spam to others. 


Thanks!

-Dennis M.

Hi Dennis,

Appreciate your time and willingness to help. Your instructions all look like generic recommendations and I don't manage Ironport the first day so whatever I did all is aligned to what you advised. Once again, there are two email addresses that I wanted to block and they are added into condition rules with "if one or more conditions match".

First of all, does it really matter if I use "equals" or "contains" for "envelope sender"? I remember I once had a TAC case and the engineer said that in some cases it really matters. Which I don't understand, as I used the full email address, so technically for the parser it shouldn't matter.

Second, is there any way to debug the mail flow processing for a particular email when it is processed by an outgoing mail policy? And another screenshot shows that the content filter "Temp_bad_senders_block" is enabled in this policy

I also attached an extract from the message tracking and I see that the spam-like email matches "per-recipient policy DEFAULT for outbound mail policies". I do have an outgoing mail policy but it is not an outbound one. Is it not the same ? If not, where would I find it? My outgoing mail policy looks like it is shown at the screenshot attached.

Hello,


You're correct that the tracking information you provided shows the email being tied to the DEFAULT policy under the Outgoing Mail Policies section. So, your screenshots show the proper mail policy and content filters that this email should be hitting. Oddly though, we can see below that it does not seem to be hitting either of the filters. 


Would you be able to provide a screenshot of the filters that are set up (e.g. the conditions and actions for them)? Equals/contains/etc. can definitely matter, especially if there's added spacing involved, so I normally recommend using contains. Though, I'm not sure that's the cause here. The capitalization can also impact the filter's success.


To debug and simulate the message, you can use the Trace function in the GUI under the System Administration tab.


Thanks!

-Dennis M.

20 Sep 2018 14:54:47 (GMT -07:00) Message 1490222 matched per-recipient policy DEFAULT for outbound mail policies.
20 Sep 2018 14:54:47 (GMT -07:00) Message 1490222 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
20 Sep 2018 14:54:47 (GMT -07:00) Message 1490222 scanned by Anti-Spam engine: CASE. Final verdict: Negative
20 Sep 2018 14:54:47 (GMT -07:00) Message 1490222 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
20 Sep 2018 14:54:47 (GMT -07:00) Message 1490222 scanned by Anti-Virus engine. Final verdict: Negative
20 Sep 2018 14:54:47 (GMT -07:00) Message 1490222 scanned by Outbreak Filters. Verdict: Negative
20 Sep 2018 14:54:47 (GMT -07:00) Message 1490222 queued for delivery.
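
The reply above points at "equals" versus "contains", stray spacing and capitalization as reasons an envelope-sender condition can silently fail to match. The following script is an added example for this thread, not ESA code and not something either poster wrote: it takes the address from the thread and a handful of constructed ways the same sender could appear in MAIL FROM (different case, surrounding spaces, angle brackets, and a look-alike address with an extra suffix), and reports which comparison style would have caught each one. ESA's own normalisation rules are not reproduced here; the comparisons are literal so the failure modes are visible. The `strict_pattern` helper is the example's own suggestion for an anchored, case-insensitive regex.

```python
"""
Show how an "envelope sender" condition behaves under equals / contains /
regex when the on-the-wire address differs from the configured value only
by case, whitespace or angle brackets.  Added example for the thread above,
not Cisco/ESA code; ESA's real matching behaviour is not modelled.
"""
import re

# The address discussed in the thread.
BLOCKED = "joe.woodworth@options.bc.ca"

# Constructed variants (not taken from the thread's logs) of how that sender
# could show up as the envelope sender of a message.
OBSERVED_SENDERS = [
    "joe.woodworth@options.bc.ca",               # exact match
    "Joe.Woodworth@options.bc.ca",               # different capitalization
    " joe.woodworth@options.bc.ca ",             # stray spacing
    "<joe.woodworth@options.bc.ca>",             # angle-bracket form
    "joe.woodworth@options.bc.ca.evil.example",  # look-alike, longer domain
]


def condition_matches(op: str, value: str, envelope_sender: str) -> bool:
    """Literal comparison in the spirit of a GUI condition: no normalisation,
    so case and whitespace differences are visible in the result."""
    if op == "equals":
        return envelope_sender == value
    if op == "contains":
        return value in envelope_sender
    if op == "regex":
        return re.search(value, envelope_sender) is not None
    raise ValueError(f"unknown operator {op!r}")


def strict_pattern(address: str) -> str:
    """Anchored, case-insensitive regex for one address.  Tolerates spaces and
    angle brackets around it but rejects addresses that merely start with it
    (the weakness of a bare 'contains')."""
    return r"(?i)^\s*<?" + re.escape(address) + r">?\s*$"


def evaluate(value: str, senders) -> dict:
    """For each observed sender, which operators would have matched it."""
    pattern = strict_pattern(value)
    return {
        s: {
            "equals": condition_matches("equals", value, s),
            "contains": condition_matches("contains", value, s),
            "regex": condition_matches("regex", pattern, s),
        }
        for s in senders
    }


if __name__ == "__main__":
    for sender, result in evaluate(BLOCKED, OBSERVED_SENDERS).items():
        flags = " ".join(f"{k}={'Y' if v else 'n'}" for k, v in result.items())
        print(f"{sender!r:45} {flags}")
```

Run as-is, the table shows "equals" catching only the byte-identical address, "contains" surviving spacing and brackets but not capitalization while also matching the look-alike domain, and the anchored case-insensitive regex catching every genuine variant and nothing else. When a filter does not fire, comparing the configured value against the sender exactly as message tracking shows it, character by character, is the quickest way to rule this class of mismatch out before looking at policy assignment.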

Ok, Dennis, let me show you what I did in much greater detail.

Here's the spammer activity, I show the screenshot from Message Tracking, the user email address is joe.woodworth@options.bc.ca

Yes, Ironport puts the email into the spam quarantine but I don't want it to waste its resources and immediately drop it.

Hence, I created the outgoing content filter as the other screenshot shows and attached it to the default policy. See attached screenshots with corresponding names.

Now if I do trace from System administration the email successfully goes through.

And by the way, there's something wrong with this forum and its file attachment function. I can't attach more than one file before I click "post". Only after I post it and then go to edit this message can I add more attachments.

Hello,

It looks like either you shared the incorrect filter, or you're perhaps creating a filter on an incoming mail policy when you wish to set one up on the outgoing mail policy.

Name of the filter you shared : temp_email_address_block

Name of the filters shown on the outgoing mail policy : Temp_bad_senders_block and Outgoing_mail_filter

Thanks!

-Dennis M.

Hi Dennis,

I recreated this filter for the outgoing mail policy again today with yet another email address that was noticed in sending spam-like emails and ESA started dropping them. I swear I did all filters correctly and the difference that you caught was because I attached the wrong screenshot. Anyways, as usual, appreciate your fresh pair of eyes. Thanks!

Eugene

You're very welcome and I'm glad that I was able to assist. :) If you run into any other snags let me know.

Thanks!

-Dennis M.